[ubuntu/noble-proposed] nodejs 18.13.0+dfsg1-1.1ubuntu1 (Accepted)

Gianfranco Costamagna locutusofborg at debian.org
Thu Nov 23 09:02:18 UTC 2023


nodejs (18.13.0+dfsg1-1.1ubuntu1) noble; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Use gold linker on arm64 to fix a link failure
    - Still use Ubuntu openssl patch and approach, the Debian one
      makes testsuite fail.
    - Fix offset by one in one new test

nodejs (18.13.0+dfsg1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Adapt testsuite failures in test-crypto-dh since OpenSSL 3.0.12/3.1.4
    (Closes: #1055416).
  * Adapt testsuite failures due to TLSv < 1.1 available only at seclevel 0
    (Closes: #1052470).
  * CVE-2023-23919 (Node.js OpenSSL error handling issues in nodejs crypto
    library). (Closes: #1031834).
  * CVE-2023-23920 (Node.js insecure loading of ICU data through ICU_DATA
    environment variable) (Closes: #1031834).
  * CVE-2023-30590 (DiffieHellman do not generate keys after setting a private
    key) (Closes: #1039990).
  * CVE-2023-30589 (HTTP Request Smuggling via Empty headers separated by CR)
    (Closes: #1039990).
  * CVE-2023-30588 (Process interruption due to invalid Public Key information
    in x509 certificates) (Closes: #1039990).
  * CVE-2023-32559 (Permissions policies can be bypassed via process.binding)
    (Closes: #1050739).
  * CVE-2023-30581 (mainModule.proto bypass experimental policy mechanism)
    (Closes: #1039990).
  * CVE-2023-32002 (Permissions policies can be bypassed via Module._load)
    (Closes: #1050739).
  * CVE-2023-32006 (Permissions policies can impersonate other modules in
    using module.constructor.createRequire()) (Closes: #1050739).
  * CVE-2023-38552 (Integrity checks according to policies can be
    circumvented) (Closes: #1054892).
  * CVE-2023-39333 (Code injection via WebAssembly export names)
    (Closes: #1054892).

Date: Thu, 23 Nov 2023 10:00:47 +0100
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1.1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 23 Nov 2023 10:00:47 +0100
Source: nodejs
Built-For-Profiles: noudeb
Architecture: source
Version: 18.13.0+dfsg1-1.1ubuntu1
Distribution: noble
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Closes: 1031834 1039990 1050739 1052470 1054892 1055416
Checksums-Sha1:
 5ab60ab12748fe011d04111163675de67b7a11e1 4174 nodejs_18.13.0+dfsg1-1.1ubuntu1.dsc
 fd917a35e698890992c61cef96aed1e2ff7bcb48 197096 nodejs_18.13.0+dfsg1-1.1ubuntu1.debian.tar.xz
 ee642c4324955e626720035f267e9f410032760a 11591 nodejs_18.13.0+dfsg1-1.1ubuntu1_source.buildinfo
Checksums-Sha256:
 7517c96c0c43b6a25e6ce041535955ec6552846450d84468516c865bd1633a45 4174 nodejs_18.13.0+dfsg1-1.1ubuntu1.dsc
 a8176c729466b1c342a0bf7817a13b91d11753adfffdaeabd0f22173fc57d587 197096 nodejs_18.13.0+dfsg1-1.1ubuntu1.debian.tar.xz
 10157785414c0b27bd50e5bd9d72b7867ce8ea5d7f6380273f84778b179e8c7b 11591 nodejs_18.13.0+dfsg1-1.1ubuntu1_source.buildinfo
Files:
 7d5794d5ae461446db86d821f35bb3bb 4174 javascript optional nodejs_18.13.0+dfsg1-1.1ubuntu1.dsc
 8437413e4bacea17d48e24ffca9acba9 197096 javascript optional nodejs_18.13.0+dfsg1-1.1ubuntu1.debian.tar.xz
 5c326286924cb596910f70d85ba56980 11591 javascript optional nodejs_18.13.0+dfsg1-1.1ubuntu1_source.buildinfo
Original-Maintainer: Debian Javascript Maintainers <pkg-javascript-devel at alioth-lists.debian.net>

